
Trojan SpyEye (alias Pincav)

Posted: Tue Mar 30, 2010 1:29 pm
by cjbi

Re: Trojan SpyEye (alias Pincav)

Posted: Tue Mar 30, 2010 1:40 pm
by EP_X0FF
Thanks for the samples :)

It seems to be the one that was reviewed by me here.

It uses payload DLL memory injection into running processes. When injecting, the trojan uses a simple loader, so antirootkits will not flag it as hidden, because the Windows loader wasn't used.
The rootkit hooks these functions (if the appropriate DLL is loaded):
ntdll.dll-->NtEnumerateValueKey
ntdll.dll-->NtQueryDirectoryFile
ntdll.dll-->NtResumeThread
ntdll.dll-->NtVdmControl
ntdll.dll-->LdrLoadDll
user32.dll-->TranslateMessage
wininet.dll-->InternetCloseHandle
wininet.dll-->HttpSendRequestA
wininet.dll-->HttpSendRequestW
ws2_32.dll-->send

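The hook list above is what a user-mode hook scanner would check. What follows is an added example, not code from the thread or from EP_X0FF's analysis: it decodes the usual 32-bit detour stubs found at a function entry and reports which of the listed exports differ from their clean on-disk bytes, with the jump destination when the stub is recognised. The prologue bytes, module addresses and payload base are constructed for the example; on a real machine the live bytes would come from ReadProcessMemory and the clean bytes from the DLL's export table on disk. Comparing bytes rather than walking the module list matters here precisely because of the point in the post: a payload mapped without the Windows loader does not appear in the loader's module list.

```python
import struct

# Exports the post above lists as hooked by the SpyEye rootkit component.
SPYEYE_HOOKS = {
    ("ntdll.dll", "NtEnumerateValueKey"), ("ntdll.dll", "NtQueryDirectoryFile"),
    ("ntdll.dll", "NtResumeThread"), ("ntdll.dll", "NtVdmControl"),
    ("ntdll.dll", "LdrLoadDll"), ("user32.dll", "TranslateMessage"),
    ("wininet.dll", "InternetCloseHandle"), ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "HttpSendRequestW"), ("ws2_32.dll", "send"),
}


def detour_target(prologue, address):
    """Decode the common 32-bit inline-hook stubs written over a function entry
    and return the address control is transferred to, or None if `prologue`
    is not a recognised stub.  `address` is where the prologue lives."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                 # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (address + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]            # push imm32 ; ret
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":
        return struct.unpack_from("<I", prologue, 2)[0]            # jmp [imm32]: the slot that holds the target
    return None


def find_hooks(in_memory, on_disk, watch=SPYEYE_HOOKS):
    """Compare each watched export's live prologue with its clean copy.

    in_memory: {(dll, func): (address, first_bytes)} as read from the process
    on_disk:   {(dll, func): first_bytes} as taken from the file's code section
    Returns {(dll, func): target} for every export whose bytes differ; a None
    target means 'modified, but not by a stub this decoder knows'."""
    findings = {}
    for key in sorted(watch):
        if key not in in_memory or key not in on_disk:
            continue                                                # DLL not loaded in this process
        address, live = in_memory[key]
        if live == on_disk[key]:
            continue
        findings[key] = detour_target(live, address)
    return findings


def make_jmp(from_addr, to_addr):
    """Build the 5-byte `jmp rel32` a hook engine writes at from_addr."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# --- constructed sample data (not a real dump) -------------------------------
# Prologues are illustrative XP-style stubs; addresses and the payload base are made up.
CLEAN = {
    ("ntdll.dll", "NtQueryDirectoryFile"): bytes.fromhex("B891000000BA0003FE7FFF12C22C00"),
    ("user32.dll", "TranslateMessage"):    bytes.fromhex("8BFF558BEC83EC10"),
    ("ws2_32.dll", "send"):                bytes.fromhex("8BFF558BEC83EC10"),
}
PAYLOAD = 0x00A31000                       # hypothetical base of the injected SpyEye DLL
LIVE = {
    ("ntdll.dll", "NtQueryDirectoryFile"): (0x7C90D76E,
        make_jmp(0x7C90D76E, PAYLOAD + 0x20) + CLEAN[("ntdll.dll", "NtQueryDirectoryFile")][5:]),
    ("user32.dll", "TranslateMessage"):    (0x7E418BF6, CLEAN[("user32.dll", "TranslateMessage")]),
    ("ws2_32.dll", "send"):                (0x71AB4C27,
        b"\x68" + struct.pack("<I", PAYLOAD + 0x300) + b"\xC3" + CLEAN[("ws2_32.dll", "send")][6:]),
}

if __name__ == "__main__":
    for (dll, func), target in find_hooks(LIVE, CLEAN).items():
        where = "unknown stub" if target is None else f"0x{target:08X}"
        print(f"{dll}!{func} hooked -> {where}")
```

On the constructed data this reports NtQueryDirectoryFile and send as hooked and leaves TranslateMessage alone; a target that falls outside every module the loader knows about is the next thing to look at, because that is where the manually mapped payload lives.
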
Re: Trojan SpyEye (alias Pincav)

Posted: Fri Apr 02, 2010 3:05 pm
by vCatcher
Hello
Here is a very simple cleaner I wrote. I have tested it with the samples posted in this thread.
I'm not sure which version of the trojan it is, but the cleaner should work on all versions.
I would be thankful for samples when the Trojan changes its file paths or adds self-protection,
so I could update the cleaner.

output:
SpyEyeCleaner version v1.00
SpyEye Infection detected,cleaning ...
Removing "C:\cleansweep.exe\cleansweep.exe": OK
Removing "C:\cleansweep.exe\config.bin": OK
Removing "C:\cleansweep.exe": OK
Removing SpyEye autostart key: OK
All SpyEye components removed from system
Now restart system to complete cleaning

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary: A99BEB87ECDBA9B6D81113FBB1B5E659

Re: Trojan SpyEye (alias Pincav)

Posted: Fri Apr 02, 2010 5:47 pm
by EP_X0FF
Hello,

thank you for your tool and time, perhaps it will be helpful for somebody.
vCatcher wrote: I would be thankful for samples when the Trojan changes its file paths or adds self-protection,
so I could update the cleaner.
Sure, of course. If this malware is updated, it will be posted here.

Regards.

Re: Trojan SpyEye (alias Pincav)

Posted: Sat Apr 03, 2010 2:40 pm
by cjbi
Mutex name is changed to "__SPYNET__".

VirusTotal result

http://www.virustotal.com/analisis/e724 ... 1270298386

Re: Trojan SpyEye (alias Pincav)

Posted: Mon Jul 05, 2010 5:10 am
by EP_X0FF
Some new info about SpyEye :)

The crapware author's name is Gribodemon.

http://www.wasm.ru/forum/viewtopic.php?id=35855 (author has some troubles with NtDeleteFile)
hxxp://forum.zloy.bz/showthread.php?p=4810658
hxxp://damagelab.org/lofiversion/index.php?t=18763&st=30

The links include v1.2 info.

+ some sample from May 2010.

http://www.virustotal.com/analisis/e310 ... 1278309507

Re: Trojan SpyEye (alias Pincav)

Posted: Mon Jul 05, 2010 6:07 am
by EP_X0FF
vCatcher wrote: Hello
Here is a very simple cleaner I wrote. I have tested it with the samples posted in this thread.

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary:A99BEB87ECDBA9B6D81113FBB1B5E659
The link is dead, so I can't test your tool against the current version I have.
This file is neither allocated to a Premium Account, or a Collector's Account, and can therefore only be downloaded 10 times.
This limit is reached.

Re: Trojan SpyEye (alias Pincav)

Posted: Tue Jul 06, 2010 2:50 pm
by PX5
nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe.crypted.exe was the first release

nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe is the current one

nerukabbcompany.com/fgdhfgvcryegf/bin/ is an open directory :lol:

Re: Trojan SpyEye (alias Pincav)

Posted: Tue Jul 06, 2010 3:09 pm
by EP_X0FF
Thanks :)

The unpacked trojan seems to belong to the newest SpyEye variant, 1.2.4 (with the screenshots feature).

The SpyEye executable is now randomly named and placed in a randomly named directory.

Example from an infected machine:
C:\xgukxzrvux.exe\xgukxzrvux.exe
In the attachment you will find SpyEye's config data, recovered by me from the bot posted above (archive recovered, SpyEye password removed).

Enjoy.

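vCatcher's cleaner output earlier in the thread shows the fixed C:\cleansweep.exe\cleansweep.exe layout with config.bin beside it, and the post above shows that the name became random while the shape stayed the same: a directory named <name>.exe holding an executable called <name>.exe. The following is an added example, not vCatcher's tool and not code from the thread: a scanner for that shape rather than for one hard-coded name, with a removal step that mirrors the cleaner's innermost-first order. The directory tree it runs against is a constructed fixture built in a temporary directory, not a real infection, and the autostart key the cleaner also removes is deliberately left out because the thread does not name it.

```python
import shutil
import tempfile
from pathlib import Path


def find_spyeye_installs(root):
    r"""Scan the top level of `root` for the drop layout seen in this thread:
    a directory named <name>.exe containing an executable of the same name
    (C:\cleansweep.exe\cleansweep.exe at first, later a random name such as
    C:\xgukxzrvux.exe\xgukxzrvux.exe).  Returns one dict per hit."""
    root = Path(root)
    hits = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or not entry.name.lower().endswith(".exe"):
            continue                                  # a plain setup.exe *file* is not a hit
        exe = entry / entry.name
        if not exe.is_file():
            continue                                  # directory named x.exe but no x.exe inside
        config = entry / "config.bin"
        hits.append({"dir": entry, "exe": exe, "config": config if config.is_file() else None})
    return hits


def remove_install(hit, dry_run=True):
    """Delete the components of one hit, innermost first, in the same order the
    cleaner's output lists them.  Returns the paths removed (or, in dry-run
    mode, the paths that would be removed).  The running bot keeps its own exe
    open, so on a live machine kill the process or reboot first, as the
    cleaner's 'restart system to complete cleaning' line implies."""
    removed = []
    for path in (hit["exe"], hit["config"], hit["dir"]):
        if path is None:
            continue
        if not dry_run:
            try:
                path.rmdir() if path.is_dir() else path.unlink()
            except OSError:
                continue                              # in use, or directory not empty: report nothing
        removed.append(path)
    return removed


def build_sample_tree(base):
    """Constructed fixture, not a real infection: two drop directories that
    should match, plus two look-alikes that must not."""
    base = Path(base)
    for name, with_config in (("cleansweep.exe", True), ("xgukxzrvux.exe", False)):
        d = base / name
        d.mkdir()
        (d / name).write_bytes(b"MZ" + b"\0" * 62)    # placeholder bytes, not a sample
        if with_config:
            (d / "config.bin").write_bytes(b"\0" * 16)
    (base / "setup.exe").write_bytes(b"MZ")          # a *file* ending in .exe
    (base / "tools.exe").mkdir()                      # a directory with no tools.exe inside
    return base


def demo():
    """Build the fixture in a temp dir, scan it, clean it, rescan.
    Returns (names found before, relative paths removed, names found after)."""
    base = Path(tempfile.mkdtemp())
    try:
        build_sample_tree(base)
        before = [h["dir"].name for h in find_spyeye_installs(base)]
        removed = [p for h in find_spyeye_installs(base) for p in remove_install(h, dry_run=False)]
        after = [h["dir"].name for h in find_spyeye_installs(base)]
        return before, [p.relative_to(base).as_posix() for p in removed], after
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    before, removed, after = demo()
    print("found:", before)
    for p in removed:
        print(f'Removing "{p}": OK')
    print("left:", after)
```

Run it against the real drive root (find_spyeye_installs(r"C:\") from an elevated prompt) with dry_run left at True first; the hit list is what you verify by hand before letting it delete anything.
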
Re: Trojan SpyEye (alias Pincav)

Posted: Tue Jul 06, 2010 7:21 pm
by PX5
I think it is this one; it seems very mean, steals my other malware and/or causes other running malware to bug out.

If not, this is the other version I see of cleansweep.exe with cleansweepudp.exe, I think..... think being the keyword here! ;)